I am currently using kv filter Logstash for parsing the log lines such as following

type=LOGIN msg=audit(1539751621.172:6100294): pid=72964 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=2216742

I noticed an error in ES that "Limit of total fields [1000] in index [] has been exceeded" and when after increasing this limit via template I noticed strange mappings, such as below, being created for the index for these logs.